Abstract. Information-theoretically secure (ITS) authentication is needed in Quantum Key Distribution (QKD). In this paper, we study the security of an ITS authentication scheme proposed by Wegman and Carter, in the case of a partially known authentication key. This scheme uses a new authentication key in each authentication attempt, to select a hash function from an Almost Strongly Universal hash function family. The partial knowledge of the attacker is measured as the trace distance between the authentication key distribution and the uniform distribution; this is the usual measure in QKD. We provide direct proofs of security of the scheme, when using a partially known key, first in the information-theoretic setting and then in terms of witness indistinguishability as used in the Universal Composability (UC) framework. We find that if the authentication procedure has a failure probability ε and the authentication key has an ε' trace distance to the uniform, then under ITS, the adversary's success probability conditioned on an authentic message-tag pair is only bounded by ε + |T|ε', where |T| is the size of the set of tags. Furthermore, the trace distance between the authentication key distribution and the uniform increases to |T|ε' after having seen an authentic message-tag pair. Despite this, we are able to prove directly that the authenticated channel is indistinguishable from an (ideal) authentic channel (the desired functionality), except with probability less than ε + ε'. This proves that the scheme is (ε + ε')-UC-secure, without using the composability theorem.
1 Introduction

Information-theoretically secure (ITS) message authentication codes [9jl2l] provide two users, Alice and Bob, with means to guarantee authenticity and integrity of messages exchanged over an insecure public channel. To achieve ITS (sometimes called unconditional security) the schemes used need a shared secret between Alice and Bob. This procedure is secure against any adversary, even one with unlimited computing and storage capability, provided that the key is perfectly secret. Such schemes normally have a high demand for fresh secret key material, but even so they are used in some cryptographic schemes, especially in ITS key agreement schemes such as Quantum Key Distribution (QKD) (3J[TT]. QKD needs ITS authentication in order to thwart man-in-the-middle attacks [Tjl2|lo'|ITT].

This paper addresses the security of an ITS authentication scheme originally proposed by Wegman and Carter [21], in the case of a partially known key. The scheme is based on secretly selecting a function from a certain family of functions; details will be given in what follows. The function is then used to create a message authentication code, a tag, from the message. The important property of the family in question is that revealing the output, the tag, from one single use of a function does not reveal too much information on which function is used. This prevents an attacker from identifying the function used and generating a tag for another (forged) message. However, revealing two tags for two different messages may reveal enough to generate a tag for a third, so the function cannot be reused. Several messages can be authenticated securely by secretly selecting a new function for each desired authentication; we will refer to this mode of operation as WCA. Another option is to hide the output by encrypting the tag with a one-time pad, but in this paper we only consider the WCA scheme.

The WCA scheme is ITS provided that the authentication key is uniformly distributed (or perfect). In practice, however, cryptographic keys are imperfect if partial information about them has leaked. One example of this is QKD-generated keys, where an eavesdropper can extract some information on the key, tightly restricted by the security parameters of the system. In this paper, we study the security of the WCA scheme in the scenario where the key is partially known to the adversary. We measure the adversary's partial knowledge of the key as the trace distance between the distribution of the key and the uniform distribution, as is done in QKD. We should stress that our analysis is not restricted to QKD. The same analysis applies whenever the authentication scheme under study is used with a key that has a small but non-zero trace distance to the uniform.

Related work, and contribution of this paper 

The security of the WCA scheme as used in QKD was studied in [10], where the observation was made that, for the WCA scheme with a partially known authentication key, an active attack is not always needed to weaken the system. The attacker can, in essence, wait for a beneficial moment and only launch an active (guessing) attack at that moment. The paper also proposes a countermeasure to this that is simple to implement.

A more recent paper [18] extends the security of the WCA scheme to the Universally Composable (UC) framework, proving that the scheme is UC-secure if the authentication key is perfectly secret. In the same paper, the Composability Theorem [5] is used to further extend the result to the case with a partially known key, but due to the complexity of the UC framework and the composability theorem, the existence of the guessing attack mentioned above, and ultimately the differences between questions of confidentiality and integrity, there has been some discussion as to the meaning and appropriate statement of this result P3III21I251.

In this paper, we aim to resolve the issue by providing upper bounds for the failure probability, both for the problem discussed in [10] and for witness indistinguishability as used in the UC framework. This is done for the case of a partially known key using a direct proof, without using the Composability Theorem. We first show that, if the authentication procedure has a failure probability ε, the authentication key has an ε' trace distance to the uniform, and the adversary has seen a valid message-tag pair, then the adversary's success probability of breaking the authentication is only bounded by ε + |T|ε', where |T| is the size of the tag space. This is significantly larger than what one would expect from the bound emerging from the UC framework. Despite this, we are able to prove directly that the authenticated channel is distinguishable from an authentic channel (the desired functionality) only with probability less than ε + ε'.

The structure of the paper is as follows. Some background on universal hashing and its use in constructing ITS authentication is given in Section 2. In Section 3 we present some properties of subset probabilities under distributions at nonzero trace distance from the uniform, which are needed in the security proofs. The ITS security bound of the scheme when using a partially known key is proved in Section 4, and the implications of the high bound are discussed at the end of that section. In Section 5 we prove indistinguishability of the scheme from the ideal functionality when using a partially known key. Section 6 concludes the paper.

2 Background 

In this section we present some necessary background that facilitates understanding of the whole paper. First of all, we need to specify the measure of partial knowledge to be used.

Definition 1 (The trace distance). This is also known as the variational distance or the statistical distance between two probability distributions $P_X$ and $P'_X$, and is

$$ \delta(P_X, P'_X) = \frac{1}{2} \sum_{x} \left| P_X(x) - P'_X(x) \right|. \tag{1} $$

When we discuss the security of a key in this paper, the following notion will be used.

Definition 2 (Perfectness). A key k is called perfect if it is uniformly distributed from the adversary's point of view; a key k is called ε-perfect if its distribution has an ε trace distance to the uniform.

The family of functions used to create the tags is defined as follows. Let $\mathcal{M}$ be the set of messages and $\mathcal{T}$ the set of tags, both finite and $\mathcal{T}$ typically much smaller than $\mathcal{M}$. Also, let $\mathcal{H}$ be a set of functions from $\mathcal{M}$ to $\mathcal{T}$. The appropriate set of functions to use in ITS authentication is the following.

Definition 3 (Strongly Universal). The set $\mathcal{H}$ is a Strongly Universal (SU2) hash function family if (a) for any $m_1 \in \mathcal{M}$ and any $t_1 \in \mathcal{T}$ there exist exactly $|\mathcal{H}|/|\mathcal{T}|$ hash functions $h \in \mathcal{H}$ such that $h(m_1) = t_1$, and (b) for any $m_2 \in \mathcal{M}$ (distinct from $m_1$) and any $t_2 \in \mathcal{T}$ (possibly equal to $t_1$), the fraction of those functions such that $h(m_2) = t_2$ is $1/|\mathcal{T}|$. If the fraction in (b) instead is at most ε, the family $\mathcal{H}$ is ε-Almost Strongly Universal (ε-ASU2).

When proving the security of an authentication scheme, there are two probabilities to bound: the probability of success in an impersonation attack, and the probability of success in a substitution attack. In an impersonation attack, the adversary pretends to be a legitimate user and tries to generate the correct tag for a (forged) message with no additional information, such as would be given by a valid message-tag pair. In a substitution attack, the adversary intercepts a valid message-tag pair and tries to replace it with a new message-tag pair. This latter attack is more powerful than the former [TJ].

It is fairly straightforward to see that ε-ASU2 hash functions can be used to construct unconditionally secure authentication schemes in a natural way. Let Alice and Bob share a secret key k that identifies a hash function $h_k$ in a family $\mathcal{H}$ of ε-ASU2 hash functions from $\mathcal{M}$ to $\mathcal{T}$. Alice sends her message m along with $t = h_k(m)$ to Bob. Upon receiving m and t, Bob verifies the authenticity of m by comparing $h_k(m)$ with t. If $h_k(m)$ and t are identical, Bob accepts m as authentic; otherwise m is rejected.

Now, if Eve tries to impersonate Alice and sends m' without knowing the key k (or $h_k$), the best she can do is to guess the correct tag for m'. The probability of success in this case is 1/|T|. Even if Eve waits until she has seen a valid message-tag pair (m, t) from Alice, the probability of guessing the correct tag t' for m' is at most ε; cf. Def. 3(b). In other words, even seeing a valid message-tag pair does not increase Eve's success probability above ε. Therefore, by using a family of ε-ASU2 hash functions with suitably chosen ε, one can achieve unconditionally secure message authentication.

In this scheme, however, a key cannot be used more than once, because repeated use of the same key may give Eve enough information to forge a valid message-tag pair; Def. 3 says nothing about set sizes for three message-tag pairs. Therefore, in the mode of operation considered here, WCA, a new secret key is used for each authentication. The key length for typical known families of ε-ASU2 hash functions is logarithmic in the message length $\log|\mathcal{M}|$ [31llll6llTt lTlHT6l l20H23j, where log denotes the binary logarithm. Hence, the key-consumption rate of WCA is logarithmic in the message length.
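As an added example (not part of the paper), the TAG/VRFY procedure of this section and Definition 3 instantiated in Python with a toy strongly universal family: affine maps $f_{(a,b)}(m) = a \cdot m + b$ over GF(p), key k = (a, b), with $\mathcal{M} = \mathcal{T} = \mathbb{Z}_p$. That choice is an assumption made so that every key can be enumerated; practical families have $|\mathcal{M}| \gg |\mathcal{T}|$. The block checks Def. 3 exhaustively, computes the impersonation and substitution success probabilities for a uniform key by counting keys, and shows why a key must not be reused: two tags on distinct messages under the same key determine (a, b). The prime p = 7 and the messages are constructed values.

```python
from fractions import Fraction
from itertools import product

# Added example, not from the paper.  Toy SU2 family: f_(a,b)(m) = a*m + b
# over GF(p) with key k = (a, b) and M = T = Z_p.  For m1 != m2 the map
# k -> (f_k(m1), f_k(m2)) is a bijection of Z_p^2, so the family is exactly
# SU2 with epsilon = 1/|T| = 1/p.  p = 7 below is a constructed parameter.


def keys(p):
    """All |K| = p^2 keys (a, b) of the affine family over GF(p)."""
    return list(product(range(p), repeat=2))


def tag(key, m, p):
    """TAG: t = f_k(m) = a*m + b mod p."""
    a, b = key
    return (a * m + b) % p


def verify(key, m, t, p):
    """VRFY: accept (m, t) iff f_k(m) == t."""
    return tag(key, m, p) == t


def is_strongly_universal(p):
    """Check Def. 3 by exhaustive enumeration: (a) for every (m1, t1) exactly
    |K|/|T| keys map m1 to t1, and (b) for every m2 != m1 and every t2 the
    fraction of those keys that map m2 to t2 is exactly 1/|T|."""
    K = keys(p)
    for m1, t1 in product(range(p), repeat=2):
        agree = [k for k in K if tag(k, m1, p) == t1]
        if len(agree) != len(K) // p:                      # condition (a)
            return False
        for m2 in range(p):
            if m2 == m1:
                continue
            for t2 in range(p):
                hits = sum(tag(k, m2, p) == t2 for k in agree)
                if Fraction(hits, len(agree)) != Fraction(1, p):   # condition (b)
                    return False
    return True


def impersonation_success(p, m_e, t_e):
    """Eve forges (m_e, t_e) without seeing any tag.  With a uniform key her
    success probability is the fraction of keys for which VRFY accepts."""
    K = keys(p)
    return Fraction(sum(verify(k, m_e, t_e, p) for k in K), len(K))


def substitution_success(p, m, t, m_e, t_e):
    """Eve has seen a valid (m, t) and substitutes (m_e, t_e) with m_e != m.
    With a uniform key, only keys consistent with (m, t) remain possible, and
    the success probability is the fraction of those accepting (m_e, t_e)."""
    consistent = [k for k in keys(p) if verify(k, m, t, p)]
    return Fraction(sum(verify(k, m_e, t_e, p) for k in consistent), len(consistent))


def recover_key(p, m1, t1, m2, t2):
    """Why a key must not be reused: two tags under the same key on distinct
    messages pin down (a, b) by solving a*m1 + b = t1, a*m2 + b = t2 in GF(p).
    After this Eve can tag any third message herself."""
    inv = pow((m1 - m2) % p, -1, p)        # (m1 - m2)^-1 mod p, needs m1 != m2
    a = ((t1 - t2) * inv) % p
    b = (t1 - a * m1) % p
    return (a, b)


if __name__ == "__main__":
    p = 7
    print("SU2:", is_strongly_universal(p))
    print("impersonation:", impersonation_success(p, 3, 5))       # 1/|T|
    print("substitution:", substitution_success(p, 1, 5, 3, 2))   # epsilon = 1/|T|
    k = (2, 3)
    leaked = recover_key(p, 1, tag(k, 1, p), 4, tag(k, 4, p))
    print("key recovered from two tags:", leaked, "forged tag for 6:", tag(leaked, 6, p))
```

The substitution count is exactly Def. 3(b): of the p keys consistent with (m, t), exactly one also maps m_e to t_e, so the conditional success probability is 1/p = ε, the same as the blind guess. The key recovery is the concrete content of the remark that Def. 3 says nothing about three message-tag pairs: for this family, two pairs already suffice.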



3 Probabilities of sets with non-uniform underlying distribution 



In what follows, we will need some simple results on the probabilities of subsets of key values, or hash functions, when the key is ε-perfect. In general we denote the probability of a subset of values $X' \subseteq X$ by

$$ P_X(X') = \sum_{x \in X'} P_X(x). $$

First we note a simple property of the probability of a subset of X when the distribution has a nonzero trace distance to the uniform distribution.

Lemma 1. If the trace distance between $P_X$ and the uniform distribution is ε, then for any subset $X' \subseteq X$,

$$ \left| P_X(X') - \frac{|X'|}{|X|} \right| \le \varepsilon. \tag{2} $$

Also, there are subsets that reach the bound.

Proof. With $X_+ := \{x \in X : P_X(x) > 1/|X|\}$ and $X_- := \{x \in X : P_X(x) < 1/|X|\}$, it is straightforward to see that

$$ \varepsilon = \frac{1}{2} \sum_{x \in X} \left| P_X(x) - \frac{1}{|X|} \right| = P_X(X_+) - \frac{|X_+|}{|X|} = \frac{|X_-|}{|X|} - P_X(X_-). \tag{3} $$

Now, for any subset $X' \subseteq X$, we have

$$ P_X(X') - \frac{|X'|}{|X|} \le P_X(X' \cap X_+) - \frac{|X' \cap X_+|}{|X|} \le P_X(X_+) - \frac{|X_+|}{|X|} = \varepsilon \tag{4} $$

and also

$$ \frac{|X'|}{|X|} - P_X(X') \le \frac{|X' \cap X_-|}{|X|} - P_X(X' \cap X_-) \le \frac{|X_-|}{|X|} - P_X(X_-) = \varepsilon. \tag{5} $$

This proves the inequality, and the subsets $X' = X_+$ and $X' = X_-$ both reach the bound. □

From this lemma follows a bound for the conditional probability of an even smaller subset of X, when the distribution has a nonzero trace distance to the uniform distribution. We will use this later when discussing security with preexisting partial knowledge and additional knowledge gained in the message exchange.

Theorem 1. If the trace distance between $P_X$ and the uniform distribution is ε, then for any subsets $X'' \subseteq X' \subseteq X$,

$$ \left| P_X(X'' \mid X') - \frac{|X''|}{|X'|} \right| \le \frac{|X|}{|X'|}\,\varepsilon. \tag{6} $$

Also, there are subsets which reach the bound.

Proof. The conditional probability can be written

$$ P_X(X'' \mid X') = \frac{P_X(X'')}{P_X(X')} = \frac{P_X(X'')}{P_X(X'') + P_X(X' \setminus X'')} = \left( 1 + \frac{P_X(X' \setminus X'')}{P_X(X'')} \right)^{-1}. \tag{7} $$

To bound this from above, we need an upper bound for $P_X(X'')$ and a lower bound for $P_X(X' \setminus X'')$, both of which can be obtained using Lemma 1,

$$ P_X(X'') \le \frac{|X''|}{|X|} + \varepsilon, \qquad P_X(X' \setminus X'') \ge \frac{|X' \setminus X''|}{|X|} - \varepsilon. \tag{8} $$

These give us the upper bound

$$ P_X(X'' \mid X') \le \left( 1 + \frac{\frac{|X' \setminus X''|}{|X|} - \varepsilon}{\frac{|X''|}{|X|} + \varepsilon} \right)^{-1} = \frac{\frac{|X''|}{|X|} + \varepsilon}{\frac{|X'|}{|X|}} = \frac{|X''|}{|X'|} + \frac{|X|}{|X'|}\,\varepsilon. \tag{9} $$

Similarly, from Lemma 1 we also know that

$$ P_X(X'') \ge \frac{|X''|}{|X|} - \varepsilon, \qquad P_X(X' \setminus X'') \le \frac{|X' \setminus X''|}{|X|} + \varepsilon. \tag{10} $$

These give us the lower bound

$$ P_X(X'' \mid X') \ge \left( 1 + \frac{\frac{|X' \setminus X''|}{|X|} + \varepsilon}{\frac{|X''|}{|X|} - \varepsilon} \right)^{-1} = \frac{\frac{|X''|}{|X|} - \varepsilon}{\frac{|X'|}{|X|}} = \frac{|X''|}{|X'|} - \frac{|X|}{|X'|}\,\varepsilon. \tag{11} $$

This proves the inequality. The bound can be reached in several ways, for example when $(X_+ \cup X_-) \subseteq X'$ and $X'' = X_+$. □
Using the above theorem, we can derive a bound for the trace distance of the conditional distribution of x on a subset $X' \subseteq X$. This will be useful when discussing trace distance in relation to security later.

Theorem 2. If the trace distance between $P_X$ and the uniform distribution is ε, then given a subset $X' \subseteq X$, the conditional distribution of x on X' has trace distance to the uniform (on X') that is bounded by

$$ \frac{1}{2} \sum_{x \in X'} \left| P_X(x \mid X') - \frac{1}{|X'|} \right| \le \frac{|X|}{|X'|}\,\varepsilon. \tag{12} $$

For certain subsets X', the bound is reached.

Proof. Let $X'_+ := \{x \in X' : P_X(x \mid X') > 1/|X'|\}$ be the part of X' where the conditional distribution exceeds the uniform. As in (3), the trace distance equals the excess probability of this set, so it is straightforward to see that

$$ \frac{1}{2} \sum_{x \in X'} \left| P_X(x \mid X') - \frac{1}{|X'|} \right| = P_X(X'_+ \mid X') - \frac{|X'_+|}{|X'|} \le \frac{|X|}{|X'|}\,\varepsilon, \tag{13} $$

where the inequality follows from Theorem 1 applied to $X'' = X'_+$. The bound is reached when $X_+ \cup X_- \subseteq X'$: then $P_X(X') = |X'|/|X|$, so $X'_+ = X_+$ and the excess in (13) is exactly $(|X|/|X'|)\varepsilon$. □
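As an added example (not from the paper), Lemma 1, Theorem 1 and Theorem 2 checked by exhaustive enumeration in Python on a constructed six-point distribution at trace distance ε = 1/8 from the uniform, with $X_+ = \{0, 1\}$ and $X_- = \{4, 5\}$. The block enumerates every pair $X'' \subseteq X' \subseteq X$, verifies that the deviations scaled by $|X'|/|X|$ never exceed ε, and confirms that the bounds are reached for $X'' = X_+$ and $X' \supseteq X_+ \cup X_-$ as the proofs state. The distribution itself is constructed for the example.

```python
from fractions import Fraction
from itertools import combinations

# Added example, not from the paper: brute-force check of Lemma 1, Theorem 1
# and Theorem 2 on X = {0, ..., 5}.  P is a constructed distribution with
# trace distance epsilon = 1/8 to the uniform; X_+ = {0, 1}, X_- = {4, 5}.
SIXTH = Fraction(1, 6)
P = {0: SIXTH + Fraction(1, 12), 1: SIXTH + Fraction(1, 24),
     2: SIXTH, 3: SIXTH,
     4: SIXTH - Fraction(1, 24), 5: SIXTH - Fraction(1, 12)}
assert sum(P.values()) == 1


def trace_distance_to_uniform(P):
    """Definition 1 with P'_X uniform: (1/2) sum_x |P_X(x) - 1/|X||."""
    n = len(P)
    return sum(abs(px - Fraction(1, n)) for px in P.values()) / 2


def prob(P, S):
    """P_X(X') = sum_{x in X'} P_X(x)."""
    return sum(P[x] for x in S)


def subsets(S, nonempty=True):
    """All subsets of S (as frozensets), optionally excluding the empty set."""
    S = list(S)
    for r in range(1 if nonempty else 0, len(S) + 1):
        for c in combinations(S, r):
            yield frozenset(c)


def lemma1_max_deviation(P):
    """max over X' of |P_X(X') - |X'|/|X||.  Lemma 1: this equals epsilon,
    reached for X' = X_+ and X' = X_-."""
    n = len(P)
    return max(abs(prob(P, S) - Fraction(len(S), n)) for S in subsets(P))


def theorem1_max_scaled_deviation(P):
    """max over X'' subset X' of |P_X(X''|X') - |X''|/|X'|| * |X'|/|X|.
    Theorem 1 bounds this by epsilon; it is reached e.g. for X' = X, X'' = X_+."""
    n = len(P)
    best = Fraction(0)
    for Xp in subsets(P):
        pXp = prob(P, Xp)
        for Xpp in subsets(Xp, nonempty=False):
            cond = prob(P, Xpp) / pXp                       # P_X(X'' | X')
            dev = abs(cond - Fraction(len(Xpp), len(Xp))) * Fraction(len(Xp), n)
            best = max(best, dev)
    return best


def theorem2_max_scaled_conditional_distance(P):
    """max over X' of [trace distance of P_X(. | X') to the uniform on X'] * |X'|/|X|.
    Theorem 2 bounds this by epsilon; reached when X' contains X_+ and X_-."""
    n = len(P)
    best = Fraction(0)
    for Xp in subsets(P):
        pXp = prob(P, Xp)
        dist = sum(abs(P[x] / pXp - Fraction(1, len(Xp))) for x in Xp) / 2
        best = max(best, dist * Fraction(len(Xp), n))
    return best


if __name__ == "__main__":
    print("epsilon   =", trace_distance_to_uniform(P))
    print("Lemma 1   =", lemma1_max_deviation(P))
    print("Theorem 1 =", theorem1_max_scaled_deviation(P))
    print("Theorem 2 =", theorem2_max_scaled_conditional_distance(P))
```

Because the search is exhaustive over the 3^6 pairs (X'', X'), a violation of either theorem on this X would show up as a maximum larger than ε; the maxima are exactly ε, which is what sharpness means here.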



4 Information-theoretic security with partially known key 

In this section we analyse the security of the authentication scheme under study in the information-theoretic setting, in the scenario where the key has a small but non-zero trace distance to the uniform. The WCA scheme uses ε-ASU2 hashing and is ε-secure, meaning that the probability of success in a substitution attack is bounded above by ε if the authentication key is uniformly distributed (perfect). We will now analyse what happens when this is not the case, i.e. when the trace distance to the uniform is nonzero. This means that the authentication key is a random variable K to Eve, and we use ε' to denote its trace distance to the uniform.

We will start by giving an example of how large Eve's probability for a successful substitution attack can become, even when using an SU2 family. Since we are talking about a substitution attack, we need to calculate the probability conditioned on Eve having seen a message-tag pair (m, t) from Alice. One possible distribution is

$$ P_K(k) = \begin{cases} \dfrac{1}{|K|} + \varepsilon', & \text{if } k \in K_+ = \{k_+\} \\[6pt] \dfrac{1}{|K|} - \dfrac{\varepsilon'}{|K_-|}, & \text{if } k \in K_- \\[6pt] \dfrac{1}{|K|}, & \text{otherwise.} \end{cases} \tag{14} $$

This has trace distance ε' to the uniform. If ε' > 1/|K|, the set $K_-$ must contain more than one value. (Compare with the distribution used in [10], where $P_K(k) = 0$ if $k \in K_-$; $P_K(k) = 1/(|K| - |K_-|)$ if $k \in K_+ = K \setminus K_-$; and $\varepsilon' = |K_-|/|K|$.) It is easy to see that Eve's probability for success, without more information on K, is maximal if she chooses $t_E = f_{k_+}(m_E)$ and $m_E$ such that $t_E \ne f_{k_-}(m_E)$ for all $k_- \in K_-$. Since the hash function family is SU2, $|\{k : f_k(m_E) = t_E\}| = |K|/|T|$, and this set contains $k_+$ but excludes $K_-$, so that

$$ \Pr\{f_K(m_E) = t_E\} = \frac{1}{|K|} + \varepsilon' + \left( \frac{|K|}{|T|} - 1 \right) \frac{1}{|K|} = \frac{|K|}{|T|} \cdot \frac{1}{|K|} + \varepsilon' = \frac{1}{|T|} + \varepsilon'. \tag{15} $$

It is also easy to see that Eve's probability for success increases if she sees a valid message-tag pair $(m, t = f_K(m))$. Eve's gain will now depend on m, and her gain is maximal if both $f_{k_+}(m) = t$ and $f_{k_-}(m) = t$ for all $k_- \in K_-$, so that

$$ \Pr\{f_K(m) = t\} = \frac{|K|}{|T|} \cdot \frac{1}{|K|} + \varepsilon' - |K_-| \frac{\varepsilon'}{|K_-|} = \frac{1}{|T|}. \tag{16} $$

If ε' is small, there will exist such messages m. Since the hash function family is SU2, $|\{k : f_k(m_E) = t_E \wedge f_k(m) = t\}| = |K|/|T|^2$, and again this set contains $k_+$ but excludes $K_-$. Therefore

$$ \Pr\{f_K(m_E) = t_E \mid f_K(m) = t\} = \frac{\Pr\{f_K(m_E) = t_E \wedge f_K(m) = t\}}{\Pr\{f_K(m) = t\}} = \frac{\frac{|K|}{|T|^2} \cdot \frac{1}{|K|} + \varepsilon'}{\frac{1}{|T|}} = \frac{1}{|T|} + |T|\,\varepsilon'. \tag{17} $$

Note that this is an equation, not an inequality. Before seeing (m, t), Eve's probability of a successful message insertion attack equals 1/|T| + ε'. After seeing (m, t), Eve's probability of a successful substitution attack equals 1/|T| + |T|ε'.

This might be taken as cause for alarm, but one should note that this is message-dependent: not all message-tag pairs (m, t) will cause such an increase. It was pointed out already in [10] that the message and the key value used may be such that Eve has this unexpectedly high probability of success. On the other hand, in some situations (here, when $f_{k_+}(m) \ne t$), Eve will instead find out that her most likely key value was, in fact, not used, and that she must remove it from the set of possible key values. In this case, the information she had becomes unusable; she will have lost information. But, importantly, Eve can find out whether there was a gain or not, before performing an active (guessing) attack, by using her distribution of K and the received message-tag pair from Alice. Eve then only performs an active attack if her success probability has increased (sufficiently, see [10]). From Alice's point of view, the probability of having her message-tag pair and a successful attack from Eve is 1/|T| + ε', but this probability is per round, not per guess (by Eve). Eve does not need to reveal herself by guessing frequently; she can wait for the beneficial case where her success probability is high [10].

Therefore, there is a clear need for an upper bound for the success probability in this situation. For general ε-ASU2-based authentication, the following theorem holds.
Theorem 3. (Bound for guessing probability with partially known key.) Consider the WCA scheme based on ε-ASU2 hashing. If the authentication key is ε'-perfect (as random variable K to the adversary), the probability of a successful message insertion is bounded by

$$ \Pr\{f_K(m_E) = t_E\} \le \frac{1}{|T|} + \varepsilon'. \tag{18} $$

If in addition the adversary has access to a valid message-tag pair (m, t), the probability of a successful substitution is bounded by

$$ \Pr\{f_K(m_E) = t_E \mid f_K(m) = t\} \le \varepsilon + |T|\,\varepsilon'. \tag{19} $$

Proof. The first inequality is obtained by applying Lemma 1 to the set $\{k \in K : f_k(m_E) = t_E\}$. Since the hash function family is ε-ASU2 (Def. 3(a)), this set has size |K|/|T|, and

$$ \Pr\{f_K(m_E) = t_E\} \le \frac{|K|/|T|}{|K|} + \varepsilon' = \frac{1}{|T|} + \varepsilon'. \tag{20} $$

To bound the probability that the adversary sees (m, t) and performs a successful substitution attack, we denote the subset of authentication key values that gives (m, t) by

$$ K' = \{k \in K : f_k(m) = t\}, \tag{21} $$

and the subset where the attack succeeds by

$$ K'' = \{k \in K : f_k(m_E) = t_E \wedge f_k(m) = t\}. \tag{22} $$

We know from Def. 3 that $|K'| = |K|/|T|$ and that $|K''| \le \varepsilon |K|/|T|$ (with equality for an SU2 family, where ε = 1/|T|). So using Theorem 1, we have

$$ \Pr\{f_K(m_E) = t_E \mid f_K(m) = t\} = P_K(K'' \mid K') \le \frac{|K''|}{|K'|} + \frac{|K|}{|K'|}\,\varepsilon' \le \varepsilon + |T|\,\varepsilon'. \tag{23} $$

□



This theorem tells us that the previous example really is a worst-case scenario, so that the upper bound for Eve's success probability after seeing a message-tag pair is ε + |T|ε'. Conversely, the example shows that the bound is sharp: there are situations where the bound is reached, so the bound cannot be lowered if one wants information-theoretic security.

In the Universal Composability framework (to be discussed below), the relevant figure of merit is the trace distance to the uniform distribution, and not the guessing probability as given above. The trace distance also increases by the same amount, in the beneficial case for Eve. The key is still random to Eve, but the distribution conditioned on her new knowledge that $f_K(m) = t$ has a larger trace distance to the uniform. A uniform distribution conditioned on $f_K(m) = t$ would be constant at |T|/|K| (the set of still possible keys has size |K|/|T|), but in our example, if both $f_{k_+}(m) = t$ and $f_{k_-}(m) = t$ for all $k_- \in K_-$,

$$ P_K(k_+ \mid f_K(m) = t) = \frac{\Pr\{K = k_+ \wedge f_K(m) = t\}}{\Pr\{f_K(m) = t\}} = \frac{P_K(k_+)}{\Pr\{f_K(m) = t\}} = \frac{\frac{1}{|K|} + \varepsilon'}{\frac{1}{|T|}} = \frac{|T|}{|K|} + |T|\,\varepsilon'. \tag{24} $$

This forces the conditional distribution of the key to have a high trace distance to the uniform. As before, the example gives the worst-case scenario, and an upper bound for this trace distance is given by the following theorem.

Theorem 4. (Bound for trace distance with partially known key.) Consider the WCA scheme based on ε-ASU2 hashing. If the authentication key is ε'-perfect (as random variable K to the adversary), and the adversary has access to a valid message-tag pair (m, t), then the trace distance from the conditional probability to the uniform is bounded by

$$ \frac{1}{2} \sum_{k : f_k(m) = t} \left| P_K(k \mid f_K(m) = t) - \frac{1}{|\{k : f_k(m) = t\}|} \right| \le |T|\,\varepsilon'. \tag{25} $$

Proof. We use $K' = \{k \in K : f_k(m) = t\}$, for which $|K'| = |K|/|T|$ by Def. 3(a), and immediately obtain the bound from Theorem 2:

$$ \frac{1}{2} \sum_{k \in K'} \left| P_K(k \mid K') - \frac{1}{|K'|} \right| \le \frac{|K|}{|K'|}\,\varepsilon' = |T|\,\varepsilon'. \tag{26} $$

□

Again, the bound is sharp because of the example: there are situations where the bound is reached, so the bound cannot be lowered if one wants information-theoretic security. Note, again, that this depends on (m, t), and a similar argument to that used above for Eve's success rate applies. The upper bound is only reached in beneficial situations (for Eve).

The example shows that the bounds cannot be lowered, but are only reached for certain (m, t). This means that the notion of ITS used here is ill suited for the situation. It works well for perfect keys, because there the probability of a successful attack is bounded uniformly, with a low bound. It is clear that the situation is the same whether one looks at guessing probability or trace distance; there is a substantial, but non-constant, increase. This is the reason to turn to the notion of indistinguishability, which is better suited for this situation.
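As an added example (not from the paper), the distribution (14) built on the keys of a toy SU2 family in Python, with the quantities (15), (16), (17), (24)/(25) and the per-round success probability of the best deterministic attack computed exactly with fractions. The family is the affine family $f_{(a,b)}(m) = a \cdot m + b$ over GF(p), so $|K| = p^2$, $|T| = p$ and ε = 1/p; the values p = 7, $k_+ = (2, 3)$, m = 1, $m_E = 4$ and ε' = 3/49 are constructed, and $K_-$ is taken to be all other keys that agree with $k_+$ on m, which is exactly the beneficial case of the example. The last function also illustrates the per-round bound ε + ε' proved in Section 5 below: over the rounds, the best attack succeeds with probability at most ε + ε', even though its conditional success probability in the beneficial round is 1/|T| + |T|ε'.

```python
from fractions import Fraction
from itertools import product

# Added example, not from the paper.  Toy SU2 family: affine maps
# f_(a,b)(m) = a*m + b over GF(p); keys k = (a, b), so |K| = p^2, |T| = p and
# the substitution bound of Def. 3(b) is epsilon = 1/p.  All parameter values
# below (p = 7, k_+ = (2, 3), m = 1, m_E = 4, epsilon' = 3/49) are constructed.


def keys(p):
    return list(product(range(p), repeat=2))


def f(key, m, p):
    a, b = key
    return (a * m + b) % p


def skewed_key_distribution(p, k_plus, m, t, eps_prime):
    """Distribution (14) as seen by Eve: k_+ carries 1/|K| + eps', the keys
    K_- other than k_+ that also map m to t share the deficit, everything else
    stays uniform.  Choosing K_- this way is the beneficial (m, t) of the
    example: f_{k_+}(m) = t and f_{k_-}(m) = t for every k_- in K_-."""
    K = keys(p)
    K_minus = [k for k in K if k != k_plus and f(k, m, p) == t]
    assert eps_prime <= Fraction(len(K_minus), len(K)), "K_- too small for eps'"
    uniform = Fraction(1, len(K))
    P = {k: uniform for k in K}
    P[k_plus] = uniform + eps_prime
    for k in K_minus:
        P[k] = uniform - eps_prime / len(K_minus)
    return P


def trace_distance_to_uniform(P):
    """Definition 1 against the uniform distribution on the support of P."""
    u = Fraction(1, len(P))
    return sum(abs(v - u) for v in P.values()) / 2


def event_prob(P, pred):
    return sum(v for k, v in P.items() if pred(k))


def insertion_success(P, p, m_e, t_e):
    """Pr{f_K(m_E) = t_E}: forgery without having seen a tag, cf. (15), (18)."""
    return event_prob(P, lambda k: f(k, m_e, p) == t_e)


def substitution_success(P, p, m, t, m_e, t_e):
    """Pr{f_K(m_E) = t_E | f_K(m) = t}: forgery after seeing (m, t), cf. (17), (19)."""
    both = event_prob(P, lambda k: f(k, m, p) == t and f(k, m_e, p) == t_e)
    return both / event_prob(P, lambda k: f(k, m, p) == t)


def conditional_trace_distance(P, p, m, t):
    """Trace distance of P_K(. | f_K(m) = t) to the uniform on K', cf. (25)."""
    consistent = {k: v for k, v in P.items() if f(k, m, p) == t}
    total = sum(consistent.values())
    return trace_distance_to_uniform({k: v / total for k, v in consistent.items()})


def best_per_round_success(P, p, m):
    """Per-round success probability of the best deterministic attack on a
    fixed message m: for each tag t Alice may send, Eve picks the (m', t')
    maximising Pr{f_K(m) = t and f_K(m') = t'}.  The events for different t
    are disjoint, so the per-round probability is their sum (Section 5)."""
    weight = {}  # (t, m', t') -> probability mass of the keys giving both tags
    for k, v in P.items():
        t = f(k, m, p)
        for m_alt in range(p):
            if m_alt != m:
                idx = (t, m_alt, f(k, m_alt, p))
                weight[idx] = weight.get(idx, Fraction(0)) + v
    return sum(max(v for (t0, _, _), v in weight.items() if t0 == t)
               for t in range(p))


def worked_example(p=7, k_plus=(2, 3), m=1, m_e=4, eps_prime=Fraction(3, 49)):
    """The example of Section 4 with constructed parameters; returns Fractions."""
    t = f(k_plus, m, p)        # Alice's tag on m when the key really is k_+
    t_e = f(k_plus, m_e, p)    # Eve's forgery assumes k_+: (m_E, f_{k_+}(m_E))
    P = skewed_key_distribution(p, k_plus, m, t, eps_prime)
    return {
        "eps_prime": trace_distance_to_uniform(P),                      # eps'
        "insertion": insertion_success(P, p, m_e, t_e),                 # 1/|T| + eps'
        "substitution": substitution_success(P, p, m, t, m_e, t_e),     # 1/|T| + |T| eps'
        "cond_trace_distance": conditional_trace_distance(P, p, m, t),  # |T| eps'
        "per_round": best_per_round_success(P, p, m),                   # <= eps + eps'
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:20s} {value}")
```

With these parameters the insertion probability is 10/49 = 1/|T| + ε', the substitution probability after the beneficial (m, t) is 4/7 = 1/|T| + |T|ε' (the bound of Theorem 3 reached exactly), the conditional trace distance is 3/7 = |T|ε' (Theorem 4 reached), while the per-round success of the best attack is again 10/49 = ε + ε': the large conditional probability only materialises in the one round out of |T| where Alice's tag happens to be the beneficial one.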



5 Indistinguishability from Ideal Authentication 

The notion of witness indistinguishability was first introduced in [12]. Here, we use the indistinguishability notion to prove that, despite the substantially high bound for ITS, the WCA scheme with an ε'-perfect key is indistinguishable from the ideal authentication, except with probability ε + ε'. As a natural consequence, Universally Composable (UC) security of the WCA scheme with an ε'-perfect key directly follows from our proof of indistinguishability.

[Fig. 1: diagram not reproduced; the recovered labels are Alice, $\mathcal{F}$, Bob, (m, t) and (m', t').]
Fig. 1: On the left is the ideal functionality: Alice gives her message m to the ideal functionality $\mathcal{F}$, which delivers it to Bob if it has not been modified on the channel (m' = m); otherwise the symbol ⊥ is delivered. On the right is the real implementation in WCA: Alice uses the tag generation algorithm TAG to generate a tag t and sends (m, t). At the receiving end, Bob uses the verification algorithm VRFY to check if the received (m', t') is a valid pair. If not, the symbol ⊥ is delivered.

The ideal functionality of authentication, an authentic channel $\mathcal{F}$, connects Alice and Bob in such a way that Bob can be certain that any message output from the channel was sent by Alice. If the message was modified on the channel, the symbol ⊥ is delivered, see Fig. 1. In other words, messages received from $\mathcal{F}$ are either authentic or blocked, and so cannot be successfully modified or substituted. Note that there is no confidentiality requirement, so the message can be read by anyone. The real implementation of authentication in the WCA scheme has three components, as depicted in Fig. 1: a tag generation algorithm TAG, a verification algorithm VRFY, and a key source. Both TAG and VRFY use the same key. From an input message m, Alice uses TAG to compute a message-tag pair (m, t) where $t = f_k(m)$ and $f_k$ is a hash function from an ε-ASU2 family identified by k. Bob uses VRFY to verify a received message-tag pair (m', t'), and VRFY outputs m' if $f_k(m') = t'$ (for example if m' = m and t' = t), otherwise ⊥.

The distinguisher (in UC terminology, the environment) Z should not be able to distinguish the two systems, except with low probability. It can attempt to distinguish the two by controlling the input to the system (the message m) and the output from the channel (m', t'). The systems should be indistinguishable even in the presence of an adversary A, and it is sufficient to consider the system under an adversary completely controlled by the environment [8], a dummy adversary that only forwards the desired channel output from the environment. As is, the systems are trivially distinguishable because of the lack of a tag in the ideal system. We therefore add a simulator S to the ideal functionality, which adds a tag t generated from m using the appropriate key and hash function, to make it indistinguishable from the real case, and strips off any received tag t' after the channel. The name simulator also alludes to simulating the adversary, which is especially simple when simulating the dummy adversary.

We now want to ensure that the environment Z cannot distinguish between the two cases (a) it is interacting with A and participants running the WCA scheme or (b) it is interacting with S and participants running $\mathcal{F}$, except with low probability (see Fig. 2). Perhaps we should point out that the description here differs slightly from that of [18]. The WCA scheme is resolved in somewhat finer detail and is separated from the participants, and the ideal functionality is that of an authentic channel rather than an immutable but blockable channel. This is done solely for the purpose of a clear comparison of the real and the ideal cases, and does not affect the results of the security evaluation. Now, having set the stage, we can state our main theorem.

[Fig. 2: diagram not reproduced.]
Fig. 2: On the left is the ideal case: the ideal functionality $\mathcal{F}$ and simulator S, complete with key input. On the right is the real case: the WCA scheme and an adversary A. The environment Z wants to distinguish between the two given all the input and output from the system.

Theorem 5. (Indistinguishability) No distinguisher Z can distinguish between the two cases

(a) it is interacting with A and participants running the WCA scheme based on ε-ASU2 hashing using an ε'-perfect authentication key, or

(b) it is interacting with S and participants running $\mathcal{F}$,

except with probability ε + ε'.

Proof. In the proof, the message given to Alice is denoted X and its distribution is in the control of the environment Z. The authentication key K is used to select $f_K$, which in turn is used to generate the tag. The key distribution is not in the control of Z, and has ε' trace distance to the uniform. The corresponding output message-tag pair is denoted Y. The channel output is denoted Y' and is again in the control of Z. The outputs of the real and ideal functionality are denoted $\hat X$ and $\tilde X$, respectively, and take values in $\mathcal{M} \cup \{\bot\}$. Thus, the environment Z has access to the joint random variables $XYY'\hat X$ in the real case and $XYY'\tilde X$ in the ideal case. In both cases, Z is in control of X and Y'. The random variable Y has an identical distribution (conditioned on the value of X) in both cases, so distinguishing the two systems can only be done from the output $\hat X$ or $\tilde X$, if the output is different from X and also not ⊥. This is only possible in the real implementation, and the probability of this is $\Pr\{\hat X \ne \bot \wedge \hat X \ne X\}$.
This can also be studied through the trace distance between the two distributions

$$ \delta(P_{XYY'\hat X}, P_{XYY'\tilde X}) = \frac{1}{2} \sum_{m, y, y', x'} \left| P_{XYY'\hat X}(m, y, y', x') - P_{XYY'\tilde X}(m, y, y', x') \right|. \tag{27} $$

Above, the index x' runs over $\mathcal{M} \cup \{\bot\}$. Since the real and ideal cases are indistinguishable if m = x', the above sum simplifies to the terms where m ≠ x'. Furthermore, if m ≠ x', the ideal functionality $\mathcal{F}$ always outputs ⊥, so the probability mass that the real case puts on outputs $m' \ne m$ is, in the ideal case, found at ⊥ instead; the terms with x' = ⊥ therefore contribute the same amount as those with $x' \in \mathcal{M} \setminus \{m\}$, which cancels the factor 1/2. We can therefore rename the index to m', since it now runs only over $\mathcal{M}$, and we find that the trace distance equals $\Pr\{\hat X \ne \bot \wedge \hat X \ne X\}$, because

$$ \begin{aligned} \delta(P_{XYY'\hat X}, P_{XYY'\tilde X}) &= \sum_{m, y, y', m' \ne m} P_{XYY'\hat X}(m, y, y', m') = \Pr\{\hat X \ne \bot \wedge \hat X \ne X\} \\ &= \sum_{m, t, t', m' \ne m} P_X(m)\, P_{Y|X}((m,t) \mid m)\, P_{Y'|XY}((m',t') \mid m, (m,t))\, P_{\hat X|XYY'}(m' \mid m, (m,t), (m',t')) \\ &= \sum_{m, t, t', m' \ne m} P_X(m)\, \Pr\{f_K(m) = t\}\, P_{Y'|Y}((m',t') \mid (m,t))\, \Pr\{f_K(m') = t' \mid f_K(m) = t\} \\ &= \sum_{m, t, t', m' \ne m} P_X(m)\, P_{Y'|Y}((m',t') \mid (m,t))\, \Pr\{f_K(m') = t' \wedge f_K(m) = t\}. \end{aligned} $$

Now, the simple bound $\Pr\{f_K(m') = t' \wedge f_K(m) = t\} \le \varepsilon/|T| + \varepsilon'$ (from Lemma 1, since by Def. 3 the set of keys giving both tags has at most $\varepsilon|K|/|T|$ elements) only gives

$$ \delta(P_{XYY'\hat X}, P_{XYY'\tilde X}) = \sum_{m, t, t', m' \ne m} P_X(m)\, P_{Y'|Y}((m',t') \mid (m,t))\, \Pr\{f_K(m') = t' \wedge f_K(m) = t\} \le \sum_{m, t, t', m' \ne m} P_X(m)\, P_{Y'|Y}((m',t') \mid (m,t)) \left( \frac{\varepsilon}{|T|} + \varepsilon' \right) \le \varepsilon + |T|\,\varepsilon', $$

where the last step uses that, for each t, the sum of $P_{Y'|Y}$ over (m', t') is at most 1 and there are |T| values of t. That is insufficient for our purposes. This occurs for the same reason as the high bounds in Theorems 3 and 4: the upper bound for the individual terms is this high, but the bound is not reached for all (m, t). Here, we can do better by bounding the expression

$$ \sum_{t, t', m' \ne m} P_{Y'|Y}((m',t') \mid (m,t))\, \Pr\{f_K(m') = t' \wedge f_K(m) = t\} $$

instead of the individual terms. The probability $P_{Y'|Y}((m',t') \mid (m,t))$ corresponds to the adversary's attack strategy: given a message-tag pair on the input to the channel, choose what to substitute as output from the channel. If the adversary uses a deterministic attack, meaning that (m', t') are functions of (m, t), we immediately obtain

$$ \begin{aligned} \sum_{t, t', m' \ne m} P_{Y'|Y}((m',t') \mid (m,t))\, \Pr\{f_K(m') = t' \wedge f_K(m) = t\} &= \sum_{t} \Pr\{f_K(m'(m,t)) = t'(m,t) \wedge f_K(m) = t\} \\ &= \Pr\Big\{ \bigcup_{t} \big\{ f_K(m'(m,t)) = t'(m,t) \wedge f_K(m) = t \big\} \Big\} \le \varepsilon + \varepsilon'. \end{aligned} $$

The sum can be rewritten as the probability of a union because the events are disjoint (each key gives a single tag $f_K(m)$), and the inequality is obtained from Lemma 1: each event contains at most $\varepsilon|K|/|T|$ keys, so the union contains at most $|T| \cdot \varepsilon|K|/|T| = \varepsilon|K|$ keys, and its probability is at most ε + ε'. The remaining average over m has no effect on the bound.

If the adversary has a randomized attack, we can introduce an auxiliary probability space $(\Omega, \mathcal{F}, \mu)$ for the random variable Y' = (X', T'), where Ω is the sample space, $\mathcal{F}$ is the σ-algebra of events, and μ is the probability measure. Using the indicator function χ we can write

$$ P_{Y'|Y}((m',t') \mid (m,t)) = \int_\Omega \chi_{\{\omega \in \Omega : Y'(m,t,\omega) = (m',t')\}}(\omega)\, d\mu. \tag{28} $$

We note that for each fixed sample ω, the attack is deterministic. The above approach now gives

$$ \begin{aligned} \sum_{t, t', m' \ne m} P_{Y'|Y}((m',t') \mid (m,t))\, \Pr\{f_K(m') = t' \wedge f_K(m) = t\} &= \sum_{t, t', m' \ne m} \int_\Omega \chi_{\{\omega \in \Omega : Y'(m,t,\omega) = (m',t')\}}(\omega)\, d\mu\; \Pr\{f_K(m') = t' \wedge f_K(m) = t\} \\ &= \int_\Omega \sum_{t} \Pr\{f_K(X'(m,t,\omega)) = T'(m,t,\omega) \wedge f_K(m) = t\}\, d\mu \\ &\le \int_\Omega (\varepsilon + \varepsilon')\, d\mu = \varepsilon + \varepsilon'. \end{aligned} $$

Again, the remaining average over m has no effect on the bound. □

Now, the UC security of the WCA scheme with a partially known key follows immediately.



Corollary 1. (UC security) Consider the WCA scheme based on ε-ASU2 hashing. Assume that the authentication key k is ε'-perfect. Then the WCA scheme is (ε + ε')-UC-secure.

6 Conclusions 

We have presented a detailed security analysis of Wegman-Carter authentication with failure probability ε, in the case of a partially known key whose distribution is at ε' trace distance from the uniform distribution. We proved tight upper bounds for the adversary's success probability of breaking the scheme with impersonation and substitution attacks in the information-theoretic setting, with success probability upper bounded by 1/|T| + ε' and ε + |T|ε', respectively. The latter is substantially higher than expected, but we give an example that reaches the bound, meaning that the bound is sharp. Also in terms of trace distance, a similar increase can be noted. The best possible upper bound on the trace distance after having seen a valid message-tag pair is |T|ε'; the same example tells us that this bound is sharp.

Since the bounds we obtained are substantially higher than what one would expect, we also analyse whether the scheme is secure in terms of witness indistinguishability. Despite the high success probability bound and the increase in trace distance, we prove that the authentication under study is indeed indistinguishable from the ideal functionality, except with probability less than ε + ε'. We provide a direct proof for the case of a partially known key, without using the composability theorem. Naturally, UC security of the scheme with a partially known key follows from our proof of indistinguishability.

These results seem to contradict each other, but they do not. The first should be under- 
stood as pointing out that the attacker will have high success probability in some rounds, 
after having seen a valid message-tag pair. The second shows that this happens seldom 
enough to retain the expected security. The important lesson is that the attacker can refrain 
from performing an active attack, if the success probability is low after having seen a valid 
message-tag pair. This is because she can calculate her success probability from available 
knowledge on the key and the additional information obtained from a valid message-tag pair. 
In essence she does not need to reveal herself at each attempt to break the system, but needs 
only take this risk when the success probability is high. The security parameters should not 
be read as "the probability that an attacker is revealed, in each attack" but rather "the 
probability that the system is broken, in each round." It is important to keep this in mind 
when using this type of authentication, and of course, the size of the security parameters e 
and e' should be chosen accordingly. 